Structured codes improve the Bennett-Brassard-84 quantum key rate 
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A central goal in information theory and cryptography is finding simple characterizations of 
optimal communication rates subject to various restrictions and security requirements. Ideally, the 
optimal key rate for a quantum key distribution (QKD) protocol would be given by single-letter 
formula involving a simple optimization over a single use of an effective channel. We explore the 
possibility of such a formula for one of the simplest and most widely used QKD protocols — Bennett- 
Brassard-84 (BB84) with one way classical post-processing. We show that a conjectured single-letter 
key-rate formula is false, uncovering a deep ignorance about asymptotically good private codes and 
pointing towards unfortunate complications in the theory of QKD. These complications are not 
without benefit — with added complexity comes better key rates than previously thought possible. 
We improve the threshold for secure key generation from a bit error rate of 0.124 to 0.129. 



Quantum key distribution (QKD) allows two parties 
using public channels to remotely establish a secret key 
whose security is not predicated on the difficulty of some 
computational task. Rather, the security of the key gen- 
erated by a QKD protocol depends only on fundamental 
laws of physics. As a result there has been an enormous 
amount of work on practical and theoretical aspects of 
QKD, and a corresponding rapid progress in both 

The first QKD protocol was proposed by Bennett and 
Brassard in 1984 [2[ , and like all QKD schemes, it is based 
on the tradeoff between information gain and disturbance 
in quantum mechanics. To establish a bit of raw key, the 
sender (Alice) encodes a random bit into one of two con- 
jugate bases {X or Z), chosen at random, and transmits 
it to a receiver (Bob). Bob measures in cither the X or 
Z basis, also chosen at random. After generating a large 
number of bits (say, 2n), Alice and Bob can sift out the 
bits for which they both chose the same basis by public 
discussion, leaving roughly n bits. 

Alice then randomly permutes her remaining bits and 
announces the permutation to Bob, after which they per- 
form parameter estimation by comparing a small fraction 
of their bits to find the error rate of the sifted key. If the 
fraction p of bits on which they disagree is sufficiently 
small, they proceed with information reconciliation and 
privacy amplification to finally arrive at a secret key. The 
essence of the protocol is that if an eavesdropper Eve, 
who is assumed to have control of the quantum channel, 
examines the signals in order to determine the key, she 
will necessarily cause some disturbance which manifests 
itself as errors in the sifted key. Thus p also characterizes 
how much Eve could have learned about the key. 

An important property of any QKD protocol is the 
amount of noise that can be tolerated without compro- 
mising the privacy of the resulting key, the amount of 
noise at which the protocol aborts. The entanglement- 
based security proof of Shor and Preskill Q showed that 
BB84 can be used to generate private key for detected 



bit error rates as high as p sa 0.11, basically by showing 
there exist Calderbank-Shor-Steane (CSS) [1, Q codes 
correcting noise up to this level. Remarkably, it was re- 
cently found 0,0] that this can be improved to p f=a 0.124 
if Alice adds independent noise to her sifted key before 
performing the distillation steps, which has been conjec- 
tured to be optimal among all one-way key distillation 
protocols 0. The key rates of [|| come from evaluat- 
ing a single-letter key rate for an effective state found by 
Devetak and Winter in Q, and indeed the 0.124 thresh- 
old of is the optimal threshold for this single-letter 
formula [2l| . If these rates were optimal among all proto- 
cols, it would indicate a single-letter formula for one-way 
QKD key-rates, providing a dramatic simplification in 
the theory of quantum key distribution protocols. 

We will show that p « 0.124 is not optimal, and the 
threshold is at least p f» 0.129. We increase the threshold 
by finding improved error correcting codes for the infor- 
mation reconciliation phase. The technique is analogous 
to those of use degenerate CSS codes 

to achieve higher quantum capacities than are achievable 
by the single-letter formula for quantum capacity arising 
from random stabilizer codes. Though the true maxi- 
mization needed for the multi-letter capacity formula in 
0] remains out of reach, we are able to evaluate rates for 
particular multi-letter inputs which achieve higher key 
rates than the single-letter maximum. While this is sug- 
gestive, we emphasize that our results to not necessarily 
rule out a single-letter formula for the one-way key-rate. 
We have shown that the single-letter Devetak- Winter for- 
mula does not give the one-way distillable key, but this 
does not preclude the existence of some other single-letter 
optimization problem that gives the optimal key rate. 

Taken together, our information reconciliation and pri- 
vacy amplification steps can be described by a highly 
degenerate CSS code. A quantum code is called degener- 
ate if its syndrome does not uniquely identify the errors 
which it corrects. This is a uniquely quantum effect — 
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there is no such thing as a degenerate classical code-and 
all such codes involve entanglement. It appears remark- 
able then that degeneracy should help in the classical 
processing task of key distillation. Moreover, Alice and 
Bob need not perform any multi-particle quantum oper- 
ations even in our improved protocol. The resolution is 
that Eve's best attacks involve entanglement, and degen- 
eracy will make this work against her. 

Degenerate codes have been used for QKD before; 
specifically, to improve the threshold of the six-state pro- 
tocol from 0.126 to 0.127 [T^. However, this protocol did 
not involve noisy processing, and in fact a better thresh- 
old was obtained for the six-state protocol by @, 0| ■ Our 
result combines degenerate codes with noisy processing, 
leading to an advantage over either one alone. 

Analytic key rate expression — To determine the secret 
key rate of the modified protocol, we follow @, @, [Hj]. 
First, the prepare & measure protocol can be converted 
to an equivalent scheme in which Alice prepares the 
maximally- entangled state l^" 1 ")®^™ and sends half to 
Bob. Each party then randomly and independently mea- 
sures either X or Z on each signal, saving the outcomes 
for use in parameter estimation and key generation. They 
discard the outcomes where their basis choice did not 
agree, and denoting the remaining outcomes K a and Kb 
it follows from Corollary 6.5.2 of [l3[ that for any m-bit 
processing step K™ — * U and U — > V it is possible to 
use standard (i.e., unstructured, random) error correc- 
tion and privacy amplification to distill secret key at rate 

r = — inf \S(U\VE m )- S(U\VK%)], (1) 
m tr AB er p 

evaluated on the state generated by performing the pro- 
cessing on cr®^ , an( i where T p is the set of single pair 
Bell-diagonal states gab passing the parameter estima- 
tion phase of the protocol and E m is the purification 
of 

a AB > which wc must assume belongs to Eve. S(p) — 
— Tr p log p is the von Neumann entropy. This expression 
is similar to what was found in d, 0| , with the additional 
feature that it includes blockwise processing. Since the 
X and Z bases are randomly used to create the sifted key, 
the error estimation provides an estimate of the bit- and 
phase-flip noise rates, so that the allowable o~ab are of 
the form a AB = (l + t-2p)|*+)($+| + (p-t)(|$-)($-| + 
|*+)(*+|) + t\^-)(^-\ for t S [0,p\. 

Below, we choose a particular K™ —> U ^ V for which 
Eq. {!]) outperforms all previously known protocols for 
large p. The measurements leading to Ka and Kb will 
be the same as for the usual BB84 protocol, with the 
processing step chosen as follows. For each m bit block 
of Ka, (x\, X2, ■ ■ ■ , x m ), Alice independently flips each 
bit with probability q, resulting in x = (i\, . . . , x m ). She 
then computes U = (£i,xi ® X2, ■ ■ ■ ,x\ ®x m ) and sends 
V = (x i © x 2, . . . , x\ © x m ) to Bob, after which they do 
error correction and privacy amplification as usual. The 
key rate they achieve is given by the following theorem. 



Theorem 1 The key rate achieved using the processing 
x — > U — > V with U = (xi, x\ © £2, ■ ■ ■ , x\ © x rn ), V = 
(x\®X2, ■ ■ ■ , xi®Xm), where x = xffif and f is a string of 
independent 0-1 random variables, each with probability 
q of being 1, is given by 

r = 1^1 - X>£(s)if (P£Ms)) + mS{ Pp . q ) 

- S Q/C + \_Z® m pt™Z mm ) ) ■ (2) 

Here p p . q = (1 - q)\ip+)(ifi+\ + q\if-)(ip-\ with \ip±) = 
VT=p\0)± y /p\l) ) P = p(l-q) + q(l-p) ) while Pf n (u,s) 
is defined in Lemma\^ The entropy H of a classical prob- 
ability distribution P is given by H(P) = — Pi log P;. 

We proceed by noting that in the entanglement picture, 
our processing step is equivalent to Alice first adding in- 
dependent bit errors to her halves of the noisy EPR pairs, 
measuring the stabilizers of an m qubit repetition code, 
and then sending her syndrome outcomes to Bob. We 
apply the following lemma, which follows from (llj . 

Lemma 2 The m qubit repetition code with stabilizers 
Z1Z2, ••• , Z\Z m maps the error X U Z V to the logical error 
X ul Z®^ lV ' and syndrome s = (m © U2, ■ ■ ■ U\ © u m ). 
When used to correct independent bit errors of probability 
p, the probability of a logical bit error u and syndrome s 
is given by 

pZ l (u,s) = (p m - s (i-py) v (p s (i- P r- s ) 1 - u , (3) 

for s=\s\. 

Proof of Theorem [TJ To evaluate Eq. JT]), first let 

<b = £puv^^[|$+)(4>+|]^ZM, (4) 

u.v 

with p uv such that p u = ^2 v p uv = p' u '(l — p)" l ~l u l, for 
measured bit error rate p, and similarly for p v . 

Alice adds independent noise at error rate q to the A 
register, so the state of the Alice-Bob-Eve system can be 
described as 

E VP^Tt\f)A>X%Z B X B |<fr + >f£|u) Bl |v) B2J (5) 

u,v,f 

where we have used the fact that Xa <S> I\$> + )ab = I ® 
X b\& + ) ab ■ Note that Eve's system is determined by the 
fact that in the worst case she holds the purification of 
the state after it emerges from the channel. However, she 
does not hold the purification of the noise Alice adds. 

Alice and Bob then measure the stabilizers of the m- 
qubit repetition code (Z1Z2, ■ ■ ■ ZiZ m ) and Alice sends 
her outcomes to Bob. This is equivalent to having Bob 
defers his measurement until he receives Alice's message 
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and then coherently correcting his key bit, which we will 
consider here. Renaming Bob's m — 1 syndrome qubits 
system B' , the state they'll share in this case is 

Eu.v,f V^Wa'Xb^Zb^I^ab (6) 
®\s u .f) B ,\u) El Z f E2 \v) E2 , 

where s u f is an (m— l)-bit string labeling the basis states 
of B' whose jth bit is (s U! f)j = u\ © Uj+i © fx © fj+i- 
Note that the Z acting on Eve's second system comes 
from the commutation of Zg and X B . 

Getting rid of the A' system (but keeping it from Eve) , 
we now let Alice and Bob measure systems A and BB' 
in the computational basis, respectively. According to 
Eq. QJ, the difference of conditional entropies for the 
resulting state will give us the key rate. This will be 
simpler to analyze by first rewriting the lower bound as 

r>— inf I(A; BB') - I(A; E). (7) 
I 



I(A; BB') is the mutual information (I(X; Y) = S(X) + 
S(Y)-S(XY)) of pabb' = \ Ex=o \ x )( x \a®P b , b , where 

PB'B = EE 9fPu \ X +h+ U l)( X +fl+ U l\B ® |Su,f)(s u ,f| 
f u 

1 

s u— 

and the P^(u, s) are given by Lemma [2] Thus, 
the mutual information, I(A;BB'), is exactly 1 — 
J2 s p £i( s ) H ( p £i( u \ s ))- Notice that this term only de- 
pends on p u , which is determined by the parameter esti- 
mation phase, so it will be the same for all gab G r p . 

Turning to the second term in Eq. ([7]), we want to 
find the mutual information of the Alice-Eve system, 

PAE 1 E 2 = \ Ex=0 \ X )( X U ® P% 1 E 2 > where 



= ( Z TT I E 

U,Vl,V2,f 



|u)(u| El <g> ^p—p^Z f \vi)(v 2 \E 2 Z f (Z 



E 2 ) 



(8) 



Note that the (Zf 2 m ) x comes from the action of Z®i=i*" 
on £>. When bit and phase errors are independent, 
this expression can be further simplified. Defining p = 
E u Pu|u)(u| and p p . q = (l-q)\(p + ){(p + \+q\(p_)((p_\ with 
\<P±) = p|0) = ' = v / pI-'-)' we can wr ite 



(9) 



Actually, we have to maximize I(A; E1E2) over all p uv 
corresponding to states in oab G r p , but the largest 
value is attained for independent phase and bit errors. 
This means that Eve's optimal attack on the protocol 
will be to choose (tab G Tp with t = p 2 . In particular, 
if Eve starts with the independent u, v state, by tracing 
out the Ei system and using the isomctry 
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\ u )e 3 \v)e 2 v B2 



(10) 



then completely dephasing E3, she can construct a 
Pae 2 e 3 with the same mutual information as if the errors 
were distributed according to p u \ v p v . Since mutual infor- 
mation cannot be increased by local operations, the in- 
dependent noise state must have the largest value. More- 
over, as the Ei system is uncorrelated with AE2, I (A; E) 
can be easily computed, yielding 



I(A;E) = S[-p« 



1 



7J Z Pp,q Z 



- mS(p Pt q). 



Taking the difference between I(A;BB') and I(A;E), 
keeping in mind we must send m qubits for each m-block, 
leads to the overall key rate of Eq. @ . □ 
Numerical key rates — We now evaluate Eq. ([2]) for par- 
ticular p, q, and m. S(p Piq ) is easily calculated and the 
second term can be evaluated efficiently via Eq. © . The 



most difficult term is S {\pf™~ 



1 Z® m p®™ Z® m ) , but it 



can be handled as follows. Due to the permutation 
invariance of the state p®™ , it is compactly expressed as 
a direct sum over the SU(2) irreducible representations 
(irreps). Each irrep occurs with some degeneracy, giv- 
ing a permutation factor, which by Schur's lemma [14 1 
is maximally- mixed. Using the expression for multiple 
copies of a qubit mixed state from [l5j], which gives the 
irreducible states of p®™ as a function of its Bloch vector 
and doing the same for Z® m p®™Z® m , we can compute 
S {\pf™+\Z® m p®™Z® m ) for m up to several hundred. 

In general, larger m gives higher thresholds with the 
optimal q « 0.3 increasing slowly with m (FIG [lj. 
m=400 and g=0.32 give nonzero key rate up to p=.1292, 
but for larger m the computation becomes quite slow. 

Discussion — Given the pattern of improving thresh- 
olds with larger m, it is tempting to guess the best thresh- 
old within our family of codes will be when m — ► 00 as 
q —> 0.5. While we have not been able to do so, we hope 
that an asymptotic analysis of our key rates in the limit of 
large m could be tractable. Along these lines, note that 
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FIG. 1: Bit error rate p at which the key rate goes to zero 
as a function of processing noise q when using various-sized 
repetition codes in the BB84 protocol. The curves are, from 
bottom to top, m = l,m = 10, 20, . . . 100, illustrating the fact 
that a longer repetition code allows a higher threshold. As m 
is increased, the optimal q also grows. Taking m = 400 and 
q = 0.32 gives our best threshold of 0.1292. 



an exact analysis of large repetition codes in the context 
of quantum capacities was successfully carried out in Q . 

We note that our codes are highly restricted, and it is 
not at all clear that they should be optimal. One idea for 
better rates is to adapt the concatenation of repetition 
codes in conjugate bases used in 0, EH to key genera- 
tion, using a repetition code in the X basis to improve 
privacy amplification. A more ambitious approach is to 
develop new degenerate codes for this problem, perhaps 
using the heuristic suggested in [11|. 

The best upper bound on the BB84 key rate is 
H(l/2-2p(l-p))-H(2p(l-p)) 0. This gives an upper 
bound on the threshold for BB84 of p = (l-l/\/2)/2 w 
0.1464, matching the bound due to the optimal individ- 



ual attack found in [17| . There remains a significant gap 
between our lower bound of 0.129 and this upper bound. 

Our one-way protocols bear a striking resemblance to 
two-way protocols using advantage distillation In 
particular, an advantage distillation protocol can be de- 
scribed as using a repetition code, with Bob sending the 
syndromes back to Alice. Error correction and privacy 
amplification are performed on blocks for which no er- 
ror is detected, while the blocks for which an error is 
detected are thrown away. Without back communication 
from Bob, Alice would not know the syndromes, and thus 
be unable to discard blocks in which Bob had detected an 
error. Our findings show that even in this case, with Al- 
ice ignorant of the syndromes, and thus unable to discard 
bad blocks, there is still a benefit in using a repetition 
code. The repetition code works "better than expected" , 
because it collapses many phase errors to a single logical 



phase error, while still providing information about bit 
errors. This benefit should also appear when the code is 
used for advantage distillation with noisy processing. 

One-way protocols with noisy processing can be viewed 
quite naturally as distillation protocols for twisted EPR 
pairs [H, ■ In [l!| it was shown that noisy processing 
can be interpreted as the deflection of Eve's correlations 
away from the sifted key into a "shield" system, which 
purifies the noise added by Alice. Viewed in this way, 
the benefit of a repetition code is that it allows us to 
combine the "soft" approach of deflecting phase errors 
and the "hard" approach of correcting bit errors - while 
learning about bit errors that we must correct, we are 
simultaneously decreasing Eve's correlation with the key, 
reducing the need for privacy amplification later. 
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